http://status.net/wiki/Security_alert_0000003
The open-source OpenID and OAuth authentication libraries shipped with
versions of StatusNet up through 0.9.3 are potentially vulnerable to
timing attacks, which could be used to forge authentication tokens and
thus access account data.
Fixes for the libraries are being worked on, and a release of StatusNet
including fixed versions should be available shortly.
= News =
* 13 July 2010 - Initial report from security researchers to
openid-security list; more details to come at Black Hat presentation:
http://lists.openid.net/pipermail/openid-security/2010-July/001156.html
* 16 July 2010 - Story broke generally within the tech community
* 17 July 2010 - Provisional patches submitted upstream; OpenID
temporarily disabled on status.net hosted sites; notice posted here and
to the status.net blog.
= Workaround =
While we believe the direct threat is low, disabling OpenID logins is a
reasonable precaution. In StatusNet 0.9.x, the OpenID plugin is loaded
by default and may be disabled by adding this line to config.php:
unset($config['plugins']['default']['OpenID']);
For older versions of StatusNet, add this config.php setting:
$config['openid']['enabled'] = false;
= Fix =
While waiting for final upstream fixes, you can try patching the copies
of the libraries shipped in StatusNet's extlib subdirectory; however,
these provisional patches have not been formally reviewed, so apply them
at your own risk:
* Provisional patch for php-openid:
http://github.com/openid/php-openid/issues/#issue/18
* Provisional patch for OAuth:
http://code.google.com/p/oauth/issues/detail?id=178
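The class of timing attack reported here (Lawson and Nelson, Black Hat 2010) comes from checking a received signature against the expected one with an ordinary string comparison, which stops at the first differing byte and so takes measurably longer the more leading bytes are correct. The following is an added example, not code from StatusNet, php-openid or the OAuth library, showing an OAuth-style HMAC-SHA1 check written the leaky way next to a constant-time replacement; the function names (signBaseString, naiveBytesExamined, verifyNaive, hashEquals, verifyConstantTime) and the sample secrets and base string are assumed and constructed for illustration.

```php
<?php
// Added example, not StatusNet's or the upstream libraries' code.
// All function names and sample values below are assumed/constructed.

// OAuth 1.0 HMAC-SHA1: key is consumer secret and token secret,
// each percent-encoded, joined by '&'; output is base64 of the raw MAC.
function signBaseString($baseString, $consumerSecret, $tokenSecret) {
    $key = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $baseString, $key, true));
}

// Models a byte-by-byte comparison that exits at the first mismatch and
// reports how many bytes it looked at: that count is what an attacker
// observes as elapsed time when the real comparison is used.
function naiveBytesExamined($known, $presented) {
    $len = min(strlen($known), strlen($presented));
    for ($i = 0; $i < $len; $i++) {
        if ($known[$i] !== $presented[$i]) {
            return $i + 1;
        }
    }
    return $len;
}

// Vulnerable pattern: plain string equality, whose run time depends on
// how many leading bytes of the presented signature are already right.
function verifyNaive($baseString, $consumerSecret, $tokenSecret, $presented) {
    $expected = signBaseString($baseString, $consumerSecret, $tokenSecret);
    return $expected === $presented;
}

// Constant-time comparison: examines every byte regardless of where the
// first difference is, accumulating the XOR of each pair with OR so there
// is no data-dependent early exit. Returning early on a length mismatch
// is acceptable for a fixed-size MAC, since the length is not secret.
function hashEquals($known, $presented) {
    if (!is_string($known) || !is_string($presented)) {
        return false;
    }
    $knownLen = strlen($known);
    if ($knownLen !== strlen($presented)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < $knownLen; $i++) {
        $diff |= ord($known[$i]) ^ ord($presented[$i]);
    }
    return $diff === 0;
}

// Hardened verification. PHP 5.6 and later ship hash_equals(); it is used
// when present, otherwise the loop above stands in for it.
function verifyConstantTime($baseString, $consumerSecret, $tokenSecret, $presented) {
    $expected = signBaseString($baseString, $consumerSecret, $tokenSecret);
    if (function_exists('hash_equals')) {
        return hash_equals($expected, $presented);
    }
    return hashEquals($expected, $presented);
}

// Constructed sample input (not real credentials or a real request).
$base = 'GET&http%3A%2F%2Fexample.invalid%2Fapi%2Fstatuses&oauth_nonce%3Dabc123';
$consumerSecret = 'constructed-consumer-secret';
$tokenSecret    = 'constructed-token-secret';

$good   = signBaseString($base, $consumerSecret, $tokenSecret);
// Two forgeries: one with no correct prefix, one with 5 correct leading bytes.
$wrong  = str_repeat('A', strlen($good));
$partly = substr($good, 0, 5) . str_repeat('A', strlen($good) - 5);

echo "genuine accepted (naive):    ", var_export(verifyNaive($base, $consumerSecret, $tokenSecret, $good), true), "\n";
echo "genuine accepted (constant): ", var_export(verifyConstantTime($base, $consumerSecret, $tokenSecret, $good), true), "\n";
echo "forgery rejected (constant): ", var_export(verifyConstantTime($base, $consumerSecret, $tokenSecret, $partly), true), "\n";
// The leak: the early-exit comparison does more work for the forgery with
// a correct prefix than for the one without, which is what timing reveals.
echo "bytes examined, no prefix:   ", naiveBytesExamined($good, $wrong), "\n";
echo "bytes examined, 5-byte prefix: ", naiveBytesExamined($good, $partly), "\n";
```

The point of the instrumented naiveBytesExamined is only to make the leak visible without a timer: a comparison that stops early does work proportional to the length of the correct prefix, and that is the signal the reported attack measures over the network. Fixing the libraries amounts to replacing the equality test on the signature (or OpenID association MAC) with a comparison like hashEquals, which is what the provisional patches linked above do.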
-- brion vibber (brion @ status.net)
_______________________________________________
StatusNet-dev mailing list
StatusNet-dev@lists.status.net
http://lists.status.net/mailman/listinfo/statusnet-dev